Chipburn
just joined
Topic Author
Posts: 18
Joined: Mon Nov 12, 2018 7:20 pm

Rogue IPV6 DNS advertisement Problem, FISHY situation !

Mon Nov 12, 2018 8:05 pm

Hi there,

I have a Mikrotik router that is acting as a DNS server for the network and also caching the DNS results. The problem is that somehow the Windows PCs are getting IPv6 DNS results. The "easy" fix is to disable IPv6 on every machine, but I tried to investigate a bit further because it is a pain to do this for every PC and you also can't do it on many mobile devices. Let me clarify that the Windows PCs are not getting an IPv6 IP from any DHCP (so no rogue IPv6 DHCP server??).

My internet is coming from a Speedport modem which is connected to eth1 of the Mikrotik, which is acting as a PPPoE client. On the Mikrotik the IPv6 package isn't installed, and under PPPoE the "use peer dns" option is unchecked as well.

On the Speedport the IPv6 DHCP and RA services are disabled as well.

So the problem is that if I do an "nslookup google.com" on a Windows machine I'm getting the following result: ******* = hidden
C:\Users\*********>nslookup google.com
Server: *********
Address: 10.0.0.1

Non-authoritative answer:
Name: google.com
Addresses: 2a00:1450:4001:806::200e
216.58.210.14
******* = hidden by me

This result is after an ipconfig /flushdns and a flush of the Mikrotik DNS cache. The strange thing is that after the nslookup request I'm getting an entry in the Mikrotik DNS cache as well
dns_cache.jpg
So I started sniffing with Wireshark and I found the following coming from the Mikrotik eth1 where the PPPoE client is running
mikrotik_ipv6.jpg
So can someone more advanced than me explain to me what is really happening here?

How is it possible that the Mikrotik is responding to IPv6 DNS requests and caching them without the IPv6 package installed, and if this isn't the Mikrotik, is it possible that this is from the Speedport modem which is behind the PPPoE?

For your help I did the test with only 1 Windows PC connected to the Mikrotik and the Speedport modem.

I'm totally puzzled.
 
Chipburn
just joined
Topic Author
Posts: 18
Joined: Mon Nov 12, 2018 7:20 pm

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

Tue Nov 13, 2018 3:27 pm

I forgot to add my software version and hardware.

# nov/13/2018 15:27:35 by RouterOS 6.43.4
# software id = KNCT-9LD2
#
# model = RouterBOARD 962UiGS-5HacT2HnT


Thanks in advance to anyone who has any idea about this.
 
tippenring
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

Tue Nov 13, 2018 4:41 pm

IPv6 and DNS are generally unrelated. A query for a FQDN will return whatever records are assigned to that FQDN. AAAA records are valid DNS records.
 
Chipburn
just joined
Topic Author
Posts: 18
Joined: Mon Nov 12, 2018 7:20 pm

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

Tue Nov 13, 2018 5:02 pm

Hi Tippenring,

Thanks for the reply, but I don't get what exactly you are saying. You mean that it is normal for DNS over IPv4 to give you the AAAA, which is used in IPv6 only?
I get this, OK, but what about the IPv6 traffic coming from the Mikrotik?

Best regards.
 
tippenring
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

Tue Nov 13, 2018 5:15 pm

See these pcap screenshots. These are DNS queries sent from a Windows 7 machine. Note that it is asking the DNS server for both the A records and AAAA records for google.com. The DNS server dutifully responds to both requests.

IPv4 and IPv6 are communication protocols. DNS is a name resolution protocol. Your systems are using IPv4 to communicate. That doesn't prevent DNS from providing IPv6 addresses over IPv4.
Clipboard01.jpg
Clipboard03.jpg
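
The point made in the reply above, as an added example that is not part of the original thread: the record type asked for (A or AAAA) is just a 16-bit field inside the DNS message and is independent of the IP version that carries the message. The responses below are constructed locally from the addresses shown in the nslookup output; nothing is sent on the network, and the function names are illustrative.

```python
import ipaddress
import struct

RTYPES = {1: "A", 28: "AAAA"}  # the two address record types

def build_query(name, qtype, txid=0x1234):
    """DNS question for `name`; only the 16-bit QTYPE differs between A and AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def constructed_response(query, qtype, addr):
    """Constructed answer: echoes the question and appends one address record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rdata = ipaddress.ip_address(addr).packed  # 4 bytes for A, 16 for AAAA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + query[12:] + rr

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer is two bytes long
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def parse_answers(msg):
    """List (type, address) for every A/AAAA record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    found = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype in RTYPES:
            found.append((RTYPES[rtype], str(ipaddress.ip_address(rdata))))
    return found

if __name__ == "__main__":
    # Both lookups would travel to the resolver at 10.0.0.1 over IPv4/UDP.
    for qtype, addr in ((1, "216.58.210.14"), (28, "2a00:1450:4001:806::200e")):
        q = build_query("google.com", qtype)
        print(parse_answers(constructed_response(q, qtype, addr)))
```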
 
Chipburn
just joined
Topic Author
Posts: 18
Joined: Mon Nov 12, 2018 7:20 pm

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

Tue Nov 13, 2018 5:22 pm

Thank you very much Tippenring,

You made the DNS part clear. But what about the IPv6 traffic coming from the Mikrotik router eth1 where the PPPoE client is running?
 
tippenring
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

Tue Nov 13, 2018 5:50 pm

If you really have the IPv6 package disabled, I'm not sure why the MT is using IPv6 at all. However, it isn't important. The packet you captured is a simple ICMPv6. The fe80 address is a link local address (like 169.254.x.x in IPv4).
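
A way to triage ICMPv6 packets like the one discussed above, as an added example that is not part of the original thread: it reports whether the source is link-local (fe80::/10), names the ICMPv6 message type, and lists DNS servers only when a Router Advertisement actually carries an RDNSS option (option type 25, RFC 8106). The two sample packets, their addresses and the function names are constructed for illustration and do not come from the poster's capture.

```python
import ipaddress
import struct

ICMPV6_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
                135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}
OPT_RDNSS = 25  # Recursive DNS Server option (RFC 8106)

def triage(pkt):
    """Classify one raw IPv6 packet (no link-layer or extension headers)."""
    src = ipaddress.IPv6Address(pkt[8:24])
    result = {"src": str(src), "link_local": src.is_link_local,
              "icmpv6": None, "dns_servers": []}
    if pkt[6] != 58:  # Next Header 58 = ICMPv6
        return result
    icmp = pkt[40:]
    result["icmpv6"] = ICMPV6_TYPES.get(icmp[0], f"type {icmp[0]}")
    if icmp[0] != 134:
        return result
    off = 16  # RA body is 16 bytes; options follow
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8  # length is in 8-byte units
        if olen == 0:
            break  # malformed option, stop parsing
        if otype == OPT_RDNSS:
            # 8 bytes of type/length/reserved/lifetime, then 16-byte addresses
            for a in range(off + 8, min(off + olen, len(icmp)) - 15, 16):
                result["dns_servers"].append(str(ipaddress.IPv6Address(icmp[a:a + 16])))
        off += olen
    return result

def ipv6_packet(src, dst, icmp):
    """Wrap an ICMPv6 message in a minimal IPv6 header (constructed test data)."""
    header = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp

# Constructed samples: checksums are left at zero and are not verified by triage().
NS_PKT = ipv6_packet("fe80::1", "ff02::1:ff00:2",
                     struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address("fe80::2").packed)
RA_PKT = ipv6_packet("fe80::3", "ff02::1",
                     struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
                     + struct.pack("!BBHI", OPT_RDNSS, 3, 0, 600)
                     + ipaddress.IPv6Address("2001:db8::53").packed)

if __name__ == "__main__":
    for pkt in (NS_PKT, RA_PKT):
        print(triage(pkt))
```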
 
Chipburn
just joined
Topic Author
Posts: 18
Joined: Mon Nov 12, 2018 7:20 pm

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

Tue Nov 13, 2018 5:58 pm

Yep, the package isn't enabled,
ipv6.jpg
That traffic and my limited knowledge of the IPv6/DNS part made me have those wrong assumptions.